Palo Alto Networks, Inc.
EXECUTION BEHAVIOR ANALYSIS TEXT-BASED ENSEMBLE MALWARE DETECTOR
Abstract:
A malware detector has been designed that uses a combination of NLP techniques on dynamic malware analysis reports to classify files as malware. The malware detector aggregates text-based features identified in different pre-processing pipelines, each corresponding to a different type of property of a dynamic malware analysis report. From a dynamic malware analysis report, the pre-processing pipelines of the malware detector generate a first feature set based on individual text tokens and a second feature set based on n-grams. The malware detector inputs the first feature set into a trained neural network having an embedding layer. The malware detector then extracts a dense layer from the trained neural network and aggregates the extracted layer with the second feature set to form a set of cross-pipeline feature values. The malware detector inputs these cross-pipeline feature values into a trained boosting model to generate a malware detection output.
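As an added illustration, not code from the patent or from Palo Alto Networks, the following Python sketch builds the two feature sets from a constructed sandbox-report excerpt and aggregates them into the cross-pipeline input described above. The embedding network uses seeded stand-in weights in place of a trained model, the hashed-n-gram dimension and layer sizes are assumed, and the trained boosting model that scores the aggregated vector is assumed to be external.

```python
import hashlib
import random
import re

# Constructed excerpt of a dynamic-analysis (sandbox) report; not a real report.
REPORT = """
NtCreateFile C:\\Users\\victim\\AppData\\Local\\Temp\\a.tmp
RegSetValueExW HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run
NtWriteFile C:\\Users\\victim\\AppData\\Local\\Temp\\a.tmp
CreateProcessW C:\\Users\\victim\\AppData\\Local\\Temp\\a.tmp
"""

def tokenize(report):
    """Split the report into individual text tokens (API names, path parts)."""
    return re.findall(r"[A-Za-z0-9_.]+", report)

def build_vocab(tokens):
    """Token -> index; index 0 is reserved for tokens unseen at training time."""
    return {t: i + 1 for i, t in enumerate(sorted(set(tokens)))}

def ngram_features(tokens, n=2, dim=64):
    """Pipeline 2: hashed bag-of-n-grams counts in a fixed-size vector."""
    vec = [0.0] * dim
    for i in range(len(tokens) - n + 1):
        gram = " ".join(tokens[i:i + n])
        vec[int(hashlib.sha256(gram.encode()).hexdigest(), 16) % dim] += 1.0
    return vec

class EmbeddingNet:
    """Pipeline 1 model: embedding layer -> mean pooling -> dense (ReLU) layer.
    Weights are seeded stand-ins for a trained network, not learned values."""
    def __init__(self, vocab_size, emb_dim=8, dense_dim=16, seed=0):
        rng = random.Random(seed)
        self.emb = [[rng.uniform(-1, 1) for _ in range(emb_dim)] for _ in range(vocab_size)]
        self.w = [[rng.uniform(-1, 1) for _ in range(emb_dim)] for _ in range(dense_dim)]

    def dense_layer(self, ids):
        """Return the dense-layer activations, the values extracted as features."""
        k = len(self.emb[0])
        pooled = [sum(self.emb[i][j] for i in ids) / max(len(ids), 1) for j in range(k)]
        return [max(0.0, sum(w * p for w, p in zip(row, pooled))) for row in self.w]

def cross_pipeline_features(report, vocab, net, n=2, dim=64):
    """Aggregate dense-layer values with the n-gram vector: the boosting model's input."""
    tokens = tokenize(report)
    ids = [vocab.get(t, 0) for t in tokens]
    return net.dense_layer(ids) + ngram_features(tokens, n, dim)
```

The returned list (16 dense-layer values followed by 64 n-gram counts) is the row that a trained gradient-boosting classifier would score; reports with no recognisable tokens yield an all-zero row rather than an error.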
Utility
10 Feb 2021
11 Aug 2022